My article below was co-authored with @darren and summarizes concepts from the ‘Cybersecurity for Finance Professionals’ module of my CPA’s Innovation and Technology Webinar. If you’d more details of the webinar, please contact me.

Sharing my article that was published in the Fall/Winter issue of CPA Daily Dividends magazine. Stay vigilant!

“When the invoice approval took me to a strange website, I knew something was wrong. Then, I realized I’d been hacked. I had that sinking feeling in my stomach: have I just shared all our corporate data with the internet?!?! I called the service desk and within seconds they locked my account and changed my passwords. A quick scan revealed nothing bad had happened. What a relief!…I later found out my vendor had been hacked several months ago and the hackers were monitoring their working practices looking for the best angle to exploit. The hackers had exploited the relationship I had with my vendor and sent me a phishing scam duplicate invoice.”

This example is a reminder of just how sophisticated hackers have become. It illustrates how fraudsters using phishing to build trust and find ways to exploit corporate data.

Here are some other examples of phishing attempts disguised as innocuous communications, taken from recent headlines:

  • City of Ottawa treasurer fell victim to US$100K phishing scam
  • ‘Easier Than Robbing A Bank:’ City of Chicago Almost Lost More Than $1 Million In #Phishing Scam
  • 24 Charged In Medical Supply Phone Scam Costing Medicare $1.2 Billion

Of course, the dollar amounts make for a catchy and attention-grabbing headline, but the negative impacts are not limited to just financial loss. Hackers cause system outages, damage to reputation, and sell corporate or organizational data, potentially impacting customers, suppliers and other stakeholders.

What are the clever tactics hackers use to trick potential victims?

Sophisticated hackers play the long game. They often spend weeks or even months gathering information and building a relationship before exploiting your data in very subtle ways. Hackers use clever social engineering techniques to influence or exploit targets. Here are some common characteristics they seek to exploit, along with examples:

  • Fear: A voicemail is left, saying an invoice is overdue and a call must be made urgently to avoid late payment penalties or service for a critical business application being discontinued.
  • Curiosity: Hackers use current events and news articles to take advantage of human curiosity. For example, after high-profile phishing scams, hackers send emails about safeguarding against phishing. However, the email contains an attachment with a virus.
  • Helpfulness: People like to help. Hackers target two or three employees in a company and send an email that appears to come from their manager. The email asks for the password to the finance system, stressing the password is needed so everyone gets paid on time.
  • Authority: People will oblige instructions from senior leaders. For example, “the CFO has agreed to buy this software, click here to approve the purchase”.

So as an accounting professional, how can you help the fight against hackers?

You, as a CPA, play an important role in:

  • Helping your organization assess their governance and risk management.
  • Advising on adequate business continuity and disaster recovery plans.
  • Quantifying risks and financial impact of breaches and stolen data.

Building a cybersecurity strategy

When getting started with a cybersecurity strategy, use a framework that starts small and can be built up over time. For example, the Centre for Internet Security (CIS) has three levels of implementation groups:

Cybersecurity

The other factor in selecting an implementation group is the sensitivity of the data you are managing or entrusted with. The more sensitive the data (regardless of your size and resources) the higher the implementation group.

Managing the risk

Cybersecurity is a complex, ever-changing business risk and the only effective way of dealing with these risks is to apply a holistic risk management approach.

Cybersecurity is a trade-off between ease of use and control. It may seem like a good idea to implement tighter controls and be really secure; however, that may create pain points and extra burden on day to day operations, and also increase costs for tools, monitoring, and personnel. It is important to carefully select and mitigate the risks most relevant to your company.

Leave a Reply

Your email address will not be published. Required fields are marked *